diff options
| author | Chris Liddell <chris.liddell@artifex.com> | 2022-09-01 09:00:35 +0100 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2022-09-02 15:59:07 +0100 |
| commit | de3e7e6f29303e121599d413b97763946e2f39df (patch) | |
| tree | 8e0ceeb09481b4e3ac1eb41916fd094febc92d81 | |
| parent | 0a21f0379060a0a1d52df9b8f89ef4d74aaf652e (diff) | |
| download | ghostpdl-de3e7e6f29303e121599d413b97763946e2f39df.tar.gz | |
oss-fuzz 50834: Add code buffer bounds check in Ins_NPUSHW()
The wrinkle is that for each arg pushed, it reads two values from the code
buffer.
| -rw-r--r-- | base/ttinterp.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/base/ttinterp.c b/base/ttinterp.c index 23a7c949e..722369fb6 100644 --- a/base/ttinterp.c +++ b/base/ttinterp.c @@ -2350,7 +2350,9 @@ static int nInstrCount=0; L = (Int)CUR.code[CUR.IP + 1]; - if ( BOUNDS( L, CUR.stackSize+1-CUR.top ) ) + /* GET_ShortIns() reads two values from the execution stream */ + if ( BOUNDS( L, CUR.stackSize+1-CUR.top ) + || BOUNDS( L * 2, CUR.codeSize+1-CUR.IP)) { CUR.error = TT_Err_Stack_Overflow; return; |